Website Security Vulnerabilities Disclosures Board
When our online bug scanner (ScanForBugs.Online) flags a finding rated High or Critical severity with Certain confidence, we contact the affected organisation and inform them about it.
The bug may be disclosed here, subject to redaction as necessary to protect users' privacy and the security of the affected system. Any credential that appears in exposed source (for example a database password) should be treated as compromised and rotated by the owner, whether or not it is shown here.
Vulnerable Websites
cpmini.strathmore.edu
- Bug: Unauthorized source-code exposure at cpmini.strathmore.edu
- Description: The PHP source of /ussd.php is served in readable form because of a web-server misconfiguration. The exposed code embeds database credentials (host, user, password, database name) and builds SQL by interpolating USSD session values directly into query strings, so the exposure also puts the backing database at risk.
- Severity: Critical
- Confidence: Certain
- For details on how to reproduce the bug & fix it: [scan cpmini.strathmore.edu Here]
# Source code of /ussd.php (partial — the listing begins mid-file, so the request parsing and the first menu branches are not shown)
setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$query = "SELECT * FROM $usertable WHERE pin = $id LIMIT 1";
$result = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($result)
$response="CON ".$row["sname"]." 1. Schedule an Appointment \n 2. Reschedule your Appointment \n 3. Request Test Result";
}else if( $level[0]=="")
{
$response="END Wrong Input, Try Again";
}else{
$response="CON Enter Second Name \n\n 0:Back 99:Main Menu";
}
}
else if(isset($level[2]) && $level[2]!="" && !isset($level[3])){
if ( $level[0]==2) {
$response="CON 1. HIV/AIDS Appointment \n 2. Malaria Appointment \n 3. Tuberculosis Appointment";
}else if( $level[0]=="")
{
$response="END Wrong Input, Try Again";
}else{
$response="CON Enter National ID \n\n 0:Back 99:Main Menu";
}
}
else if(isset($level[3]) && $level[3]!="" && !isset($level[4])){
if ( $level[0]==2) {
$response="CON When do you want to book Appointment \n 1. January 15th 2018 \n 2. January 30th 2018 \n 3. February 3rd ,2018 \n 4. February 10th 2018";
}else if( $level[0]=="")
{
$response="END Wrong Input, Try Again";
}else{
$response="CON Enter County \n\n 0:Back 99:Main Menu";
}
}
else if(isset($level[4]) && $level[4]!="" && !isset($level[5])){
if ( $level[0]==2) {
$response="CON Available Slots \n 1. 9:00 - 9:30 \n 2. 11:00 - 11:30 \n 3. 2:00 - 2:30 \n 4. None of them Works";
}else if( $level[0]=="")
{
$response="END Wrong Input, Try Again";
}else{
$response="CON Enter Year of Birth \n\n 0:Back 99:Main Menu";
}
}
else if(isset($level[5]) && $level[5]!="" && !isset($level[6])){
if ( $level[0]==2) {
$response="CON You reserved the following slot for HIV/AIDS diagnosis for Tuesday January 30th 2018 from 2:00 - 2:30 pm. Reply 1 to Confirm and 2 to Cancel";
}else if( $level[0]=="")
{
$response="END Wrong Input, Try Again";
}else{
$response="CON Select the Gender .\n 1. Male \n 2. Female \n 3. Other";
}
}
else if(isset($level[6]) && $level[6]!="" && !isset($level[7])){
if ( $level[0]==2) {
$response="CON Confirmed Appointment for HIV/AIDS diagnosis for Tuesday January 30th 2018 from 2:00 - 2:30 pm. \n Confirmation Code #26535353";
}else if( $level[0]=="")
{
$response="END Wrong Input, Try Again";
}else{
$response="CON Enter New Cumasu PIN \n\n 0:Back 99:Main Menu";
}
}
else if(isset($level[7]) && $level[7]!="" && !isset($level[8])){
$response="CON Re-Enter Cumasu PIN \n\n 0:Back 99:Main Menu";
}
//Save data to database
else if(isset($level[8]) && $level[8]!="" && !isset($level[9])){
//Save data to database
// $data=array(
// 'phonenumber'=>$phonenumber,
// 'fullname' =>$level[1],
// 'electoral_ward' => $level[2],
// 'national_id'=>$level[3]
// );
//Insert the values into the db SOMEWHERE HERE!!
//We end the session using the keyword END.
$fname=$level[1];
$sname=$level[2];
$national_id=$level[3];
$county=$level[4];
$yob=$level[5];
$gender=$level[6];
$pin=$level[7];
$pinold=$level[8];
if($pin==$pinold){
$response="CON User Registration Successful.. ".$fname." \n\n 0:Back 99:Main Menu";
//$response="END Thank you ".$full_name.$email.$phone_number." for registering.\nWe will keep you updated";
$servername = "localhost";
$username = "county";
$password = "cpmini#2017";
$dbname = "cpmini_kajiado_test";
header('Content-type: text/plain');
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO user_cumasu (fname, sname, national_id, county, yob, gender, pin) VALUES('$fname' ,'$sname' ,'$national_id' ,'$county' ,'$yob' ,'$gender' ,'$pin')";
// $sql = "INSERT INTO customer (phone, email, full_name) VALUES('$full_name' ,'$email' ,'$phone_number')";
$conn->exec($sql);
}else{
$response="CON The PIN does not match";
}
}
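// Final output stage of the USSD handler: emit the menu text assembled above.
// USSD gateways consume a plain-text body, so the content type is fixed here
// (the registration path also sets it earlier; repeating the header is harmless).
header('Content-type: text/plain');
// The original compared `$sql == ""` and then echoed $response in both branches.
// $sql is only ever assigned on the registration branch, so every other path
// raised an "undefined variable" notice (which, with display_errors on, would
// be emitted into the USSD response). Echoing unconditionally gives the same
// output on every path without the notice.
// NOTE(review): this assumes every branch of the menu dispatcher above assigns
// $response — the first branch is outside this listing, confirm it does.
echo $response;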
//}
?>
online.strathmore.edu
- Bug: Unauthorized Access to Application Source Code at online.strathmore.edu
- Description: PHP source files are served in readable form because of a web-server misconfiguration.
- Severity: Critical
- Confidence: Certain
- For details on how to reproduce the bug & fix it: [scan online.strathmore.edu Here]
# Source code of online.strathmore.edu/enrol/otherusers.php. Note: this appears to be a stock Moodle core file (`@package core_enrol`, GPL header) whose contents are publicly available; exposing it confirms the misconfiguration and hints at the Moodle version in use, but this particular file contains no site-specific secrets.
.
/**
* List and modify users that are not enrolled but still have a role in course.
*
* @package core_enrol
* @copyright 2010 Petr Skoda {@link http://skodak.org}
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
require('../config.php');
require_once("$CFG->dirroot/enrol/locallib.php");
require_once("$CFG->dirroot/enrol/renderer.php");
require_once("$CFG->dirroot/group/lib.php");
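// enrol/otherusers.php — list users who hold a role in the course without being
// enrolled and, for viewers holding moodle/role:assign, offer controls to change
// those roles. Moodle core script; $CFG, $DB, $PAGE and $OUTPUT come from config.php.

$id = required_param('id', PARAM_INT); // course id
$action = optional_param('action', '', PARAM_ALPHANUMEXT); // assigned but not read anywhere below in this file
$filter = optional_param('ifilter', 0, PARAM_INT); // enrolment-instance filter handed to the manager
$course = $DB->get_record('course', array('id'=>$id), '*', MUST_EXIST);
$context = context_course::instance($course->id, MUST_EXIST);

// Access control comes before any output or lookup of other users' data:
// a valid login for this course plus the capability to review other users.
require_login($course);
require_capability('moodle/course:reviewotherusers', $context);
if ($course->id == SITEID) {
    // The site front page is excluded; send the viewer to the site root.
    redirect("$CFG->wwwroot/");
}

$PAGE->set_pagelayout('admin');
$manager = new course_enrolment_manager($PAGE, $course, $filter);
$table = new course_enrolment_other_users_table($manager, $PAGE);
$PAGE->set_url('/enrol/otherusers.php', $manager->get_url_params()+$table->get_url_params());
navigation_node::override_active_url(new moodle_url('/enrol/otherusers.php', array('id' => $id)));

// Columns shown per user. Extra identity fields are whatever
// get_extra_user_fields() returns for this course context (presumably the
// fields this viewer is allowed to see).
$userdetails = array (
    'picture' => false,
    'userfullnamedisplay' => false,
    'firstname' => get_string('firstname'),
    'lastname' => get_string('lastname'),
);
$extrafields = get_extra_user_fields($context);
foreach ($extrafields as $field) {
    $userdetails[$field] = get_user_field_name($field);
}
$fields = array(
    'userdetails' => $userdetails,
    'lastaccess' => get_string('lastaccess'),
    'role' => get_string('roles', 'role')
);

// Drop "last access" when the site lists it among hidden user fields and the
// viewer lacks the capability to see hidden fields.
if (!has_capability('moodle/course:viewhiddenuserfields', $context)) {
    $hiddenfields = array_flip(explode(',', $CFG->hiddenuserfields));
    if (isset($hiddenfields['lastaccess'])) {
        unset($fields['lastaccess']);
    }
}
$table->set_fields($fields, $OUTPUT);

$renderer = $PAGE->get_renderer('core_enrol');
// Role-editing controls are only rendered for viewers who may assign roles;
// the capability is evaluated once here rather than per row.
$canassign = has_capability('moodle/role:assign', $manager->get_context());
$users = $manager->get_other_users_for_display($renderer, $PAGE->url, $table->sort, $table->sortdirection, $table->page, $table->perpage);
$assignableroles = $manager->get_assignable_roles(true);
foreach ($users as $userid => &$user) {
    $user['picture'] = $OUTPUT->render($user['picture']);
    $user['role'] = $renderer->user_roles_and_actions($userid, $user['roles'], $assignableroles, $canassign, $PAGE->url);
}
// Break the by-reference binding left behind by the loop; otherwise any later
// write to $user would silently overwrite the last row of $users.
unset($user);

$table->set_total_users($manager->get_total_other_users());
$table->set_users($users);
$PAGE->set_title($course->fullname.': '.get_string('totalotherusers', 'enrol', $manager->get_total_other_users()));
$PAGE->set_heading($PAGE->title);

echo $OUTPUT->header();
echo $renderer->render($table);
echo $OUTPUT->footer();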
https://k24tv.co.ke/
- Bug: Unauthorized Access to Application Source Code at https://K24tv.co.ke
- Description: The application's source code is served in readable form because of a server misconfiguration; the exposed wp-config.php includes the database name, user and password.
- Severity: Critical
- Confidence: Certain
- For details on how to reproduce the bug & fix it: [scan https://k24tv.co.ke/ Here]
Snippet of wp-config.php (database connection constants):
// NOTE(review): these are live database credentials taken from an exposed
// wp-config.php. The DB_USER/DB_PASSWORD pair must be treated as compromised
// and rotated, and the hosting misconfiguration that served this file fixed.
//define( 'DB_NAME', 'k24tv_20190623' );
define( 'DB_NAME', 'mediamax_k24tv_wp');
define( 'DB_USER', 'mediamax');
define( 'DB_PASSWORD', 'vSTgz6ZRc8' );
// DB_HOST is localhost, i.e. the application connects to a co-located database.
// That alone does not mean the database is unreachable from outside — confirm
// the server's bind address separately.
define( 'DB_HOST', 'localhost' );